Vegard Nossum wrote:>I don't know if this could be used in some malicious way. Maybe if a setuid>root program tried to open a user-supplied file (which could be this one in>/proc), it could crash the program quite easily. But since there is no way>to change the contents of the file... I don't know.

You don't necessarily need control over the values that are written pastthe end of the buffer to exploit a buffer overrun bug. If those valuesare semi-random but predictable, it may still be possible to exploit thevulnerability by arranging to stash malicious code at the address that thereturn address will be overwritten with. Even if those values are randomand not predictable, it may still be able to fill a large fraction of theaddress space with malicious code and thus have a significant probabilityof successful exploitation. See, e.g., NOP sleds, heap spraying, heapfeng shui. I would not want to rely on this bug being difficult to exploit.

Bottom line: I suspect it would be prudent to assume this bug may befully exploitable.